3.14 Preventing Clickjacking and XFS Attacks

For information about Clickjacking and XFS attacks, see Section 8.2, Preventing Cross-Frame Scripting Attacks.

You can prevent both types of attacks by performing the following steps:

  1. In the /opt/novell/nids/lib/webapp/WEB-INF/web.xml file, add the following Tomcat filter configuration below any existing filter configurations:

    <filter>
        <filter-name>TomcatSameOriginFilter</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>TomcatSameOriginFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
  2. Restart Identity Server.

  3. Use a browser header trace tool to verify that the X-Frame-Options header is now present in the response, as in the following example:

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Strict-Transport-Security: max-age=0
    X-Frame-Options: SAMEORIGIN
    x-content-type-options: nosniff
    via-ESP: null,NIDPLOGGING.600105004 session33-C62485D33E58AD05D6F80C470E6A31D8, null,NIDPLOGGING.600105004 session33-C62485D33E58AD05D6F80C470E6A31D8,NIDPLOGGING.600105002 session220-C62485D33E58AD05D6F80C470E6A31D8
    Cache-Control: max-age=0
    Expires: Wed, 27 Apr 2016 13:12:43 GMT
    Content-Type: text/html;charset=ISO-8859-1
    Content-Length: 863
    Date: Wed, 27 Apr 2016 13:12:43 GMT
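The verification in step 3 can be scripted instead of read by eye. The following is an added example, not part of the product documentation: it parses a raw HTTP response (a constructed sample modelled on the trace above), reports whether an effective X-Frame-Options value is present, and also flags the cases a manual glance tends to miss, a missing header, conflicting duplicate values, and the obsolete ALLOW-FROM form that current browsers ignore.

```python
from typing import Dict, List, Tuple

# Values that actually block cross-origin framing in current browsers.
EFFECTIVE_VALUES = {"SAMEORIGIN", "DENY"}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.1 response into a multimap
    keyed by lower-cased header name. Any body after the blank line is ignored."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_frame_options(raw: str) -> Tuple[bool, str]:
    """Return (protected, reason) for the X-Frame-Options header of a raw response."""
    values = parse_headers(raw).get("x-frame-options", [])
    if not values:
        return False, "X-Frame-Options missing: filter not active or not mapped to this URL"
    distinct = {v.upper() for v in values}
    if len(distinct) > 1:
        return False, f"conflicting X-Frame-Options values {sorted(distinct)}; browsers may ignore the header"
    value = distinct.pop()
    if value in EFFECTIVE_VALUES:
        return True, f"X-Frame-Options: {value}"
    if value.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is obsolete and ignored by current browsers; framing is not blocked"
    return False, f"unrecognised X-Frame-Options value {value!r}"


# Constructed samples (not captured from a real server), based on the trace above.
SAMPLE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "x-content-type-options: nosniff\r\n"
    "Content-Type: text/html;charset=ISO-8859-1\r\n"
    "\r\n"
)
SAMPLE_MISSING = "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n\r\n<html>...</html>"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_MISSING):
        print(check_frame_options(sample))
```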

NOTE: You can also use the SameOriginFilter filter to prevent these attacks. However, the recommended filter is TomcatSameOriginFilter. The following is the snippet for SameOriginFilter:

<filter>
    <filter-name>SameOriginFilter</filter-name>
    <description>The NIDP server anti-clickjacking filter. This filter adds the 'X-FRAME-OPTIONS: SAMEORIGIN' header to HTTP responses and prevents cross-domain framing of web pages as far as browser compatibility allows.</description>
    <filter-class>com.novell.nidp.servlets.filters.jsp.SameOriginFramingFilter</filter-class>
    <init-param>
        <param-name>activate</param-name>
        <param-value>True</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>SameOriginFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>